430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

APT

APT groups chain VPN and Windows Zerologon bugs to attack US government networks

US government networks are under attack, threat actors chained VPN and Windows Zerologon flaws to gain unauthorized access to elections support systems. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published a joint security alert to warn of attackers combining VPN and Windows Zerologon flaws to target government networks. […]

CISA BlueHammer (CVE-2026-33825)

US government networks are under attack, threat actors chained VPN and Windows Zerologon flaws to gain unauthorized access to elections support systems.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published a joint security alert to warn of attackers combining VPN and Windows Zerologon flaws to target government networks.

According to government experts, the attacks aimed at federal and state, local, tribal, and territorial (SLTT) government networks, the agencies also reported attacks against non-government networks.

The alert didn’t provide details about the attackers, it only classify them as “advanced persistent threat (APT) actors, a circumstance that suggests the involvement of state-sponsored hackers.

“CISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised,” the security alert published by the two agencies reads.

The joint alert includes information on the vulnerabilities exploited by the hackers and recommended mitigation actions for affected organizations.

The agencies warn of risk to elections information housed on government networks.

According to the Alert (AA20-283A), advanced persistent threat (APT) actors are exploiting multiple legacy vulnerabilities in combination with a the recently discovered Zerologon vulnerability (CVE-2020-1472).

The CVE-2020-1472 flaw is an elevation of privilege that resides in the Netlogon. The Netlogon service is an Authentication Mechanism used in the Windows Client Authentication Architecture which verifies logon requests, and it registers, authenticates, and locates Domain Controllers.

An attacker could exploit the vulnerability to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.

An attacker could also exploit the flaw to disable security features in the Netlogon authentication process and change a computer’s password on the domain controller’s Active Directory.

“CISA has recently observed advanced persistent threat (APT) actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability—CVE-2020-1472—in Windows Netlogon.” reads the report. “The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application.”

Experts believe that the targets are not being selected because of their proximity to elections information, anyway, the agencies warn of the risk to elections systems operated by the government.

“CISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised.” continues the alert.

CISA and FBI have observed attacks carried out by APT actors that combined two the CVE-2018-13379 and CVE-2020-1472 flaws.

The CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal that could be exploited by an unauthenticated attacker to download FortiOS system files, to upload malicious files on unpatched systems and take over Fortinet VPN servers.

Government experts explained that attackers are combining these two flaws to hijack Fortinet servers and use them as an entry point in government networks, then take over internal networks using the Zerologon flaw to compromise all Active Directory (AD) identity services.

Threat actors have then been observed using legitimate remote access tools, including Remote Desktop Protocol (RDP) and VPN, to access the targeted environment with the compromised credentials.

Recently Microsoft observed Iran-linked APT Mercury and the Russian cybercrime gang TA505 exploiting the Zerologon flaw in attacks in the wild.

Microsoft publicly shared some file indicators for the attacks along with variations of the ZeroLogon exploits its experts have detected. Many of these exploits were recompiled versions of well-known, publicly available proof-of-concept code. 

Both CISA and the FBI recommend private organizations and public agencies to patch systems and equipment promptly and diligently.

The alert also warns of other vulnerabilities that could be exploited by threat actors and urge to patch vulnerable systems immediately.

“CISA recommends network staff and administrators review internet-facing infrastructure for these and similar vulnerabilities that have or could be exploited to a similar effect, including Juniper CVE-2020-1631, Pulse Secure CVE-2019-11510,  Citrix NetScaler CVE-2019-19781, and Palo Alto Networks CVE-2020-2021 (this list is not considered exhaustive).” concludes the alert.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Zerologon)

[adrotate banner=”5″]

[adrotate banner=”13″]